rkt · alban · Feb 2, 2016 · Jan 25, 2016
diff --git a/pkg/keystore/keystore.go b/pkg/keystore/keystore.go
@@ -137,7 +137,52 @@ func (ks *Keystore) MaskTrustedKeySystemRoot(fingerprint string) (string, error)
 	return dst, ioutil.WriteFile(dst, []byte(""), 0644)
 }
 
-func (ks *Keystore) TrustedKeyPrefixExists(prefix string, r io.ReadSeeker) (bool, error) {
+// TrustKeyPrefixExists returns whether or not there exists 1 or more trusted
+// keys for a given prefix, or for any parent prefix.
+func (ks *Keystore) TrustedKeyPrefixExists(prefix string) (bool, error) {
+	acidentifier, err := types.NewACIdentifier(prefix)
+	if err != nil {
+		return false, err
+	}
+
+	pathNamesPrefix := []string{
+		// example: /etc/rkt/trustedkeys/prefix.d/coreos.com/etcd
+		path.Join(ks.LocalPrefixPath, acidentifier.String()),
+		// example: /usr/lib/rkt/trustedkeys/prefix.d/coreos.com/etcd
+		path.Join(ks.SystemPrefixPath, acidentifier.String()),
+	}
+
+	for _, p := range pathNamesPrefix {
+		_, err := os.Stat(p)
+		if os.IsNotExist(err) {
+			continue
+		}
+		if err != nil {
+			return false, errwrap.Wrap(fmt.Errorf("cannot check dir %q", p), err)
+		}
+		files, err := ioutil.ReadDir(p)
+		if err != nil {
+			return false, errwrap.Wrap(fmt.Errorf("cannot list files in dir %q", p), err)
+		}
+		for _, f := range files {
+			if !f.IsDir() && f.Size() > 0 {
+				return true, nil
+			}
+		}
+	}
+
+	parentPrefix, _ := path.Split(prefix)
+	parentPrefix = strings.Trim(parentPrefix, "/")
+
+	if parentPrefix != "" {
+		return ks.TrustedKeyPrefixExists(parentPrefix)
+	}
+
+	return false, nil
+}
+
+// TrustedKeyPrefixWithFingerprintExists returns whether or not a trusted key with the fingerprint of the key accessible through r exists for the given prefix.
+func (ks *Keystore) TrustedKeyPrefixWithFingerprintExists(prefix string, r io.ReadSeeker) (bool, error) {
 	defer r.Seek(0, os.SEEK_SET)
 
 	entityList, err := openpgp.ReadArmoredKeyRing(r)

diff --git a/rkt/image/namefetcher.go b/rkt/image/namefetcher.go
@@ -190,11 +190,20 @@ func (f *nameFetcher) fetchVerifiedURL(app *discovery.App, u *url.URL, a *asc) (
 }
 
 func (f *nameFetcher) maybeFetchPubKeys(appName string) {
-	if f.TrustKeysFromHTTPS && !f.InsecureFlags.SkipTLSCheck() {
+	exists, err := f.Ks.TrustedKeyPrefixExists(appName)
+	if err != nil {
+		log.Printf("error checking for existing keys: %v", err)
+		return
+	}
+	if exists {
+		log.Printf("keys already exist for prefix %q, not fetching again", appName)
+		return
+	}
+	if !f.InsecureFlags.SkipTLSCheck() {
 		m := &pubkey.Manager{
 			AuthPerHost:        f.Headers,
 			InsecureAllowHTTP:  false,
-			TrustKeysFromHTTPS: true,
+			TrustKeysFromHTTPS: f.TrustKeysFromHTTPS,
 			Ks:                 f.Ks,
 			Debug:              f.Debug,
 		}
@@ -205,7 +214,12 @@ func (f *nameFetcher) maybeFetchPubKeys(appName string) {
 		if err != nil {
 			log.PrintE("error determining key location", err)
 		} else {
-			if err := m.AddKeys(pkls, appName, pubkey.AcceptForce, pubkey.OverrideDeny); err != nil {
+			accept := pubkey.AcceptAsk
+			if f.TrustKeysFromHTTPS {
+				accept = pubkey.AcceptForce
+			}
+			err := m.AddKeys(pkls, appName, accept)
+			if err != nil {
 				log.PrintE("error adding keys", err)
 			}
 		}
@@ -218,6 +232,10 @@ func (f *nameFetcher) checkIdentity(appName string, ascFile io.ReadSeeker) error
 	}
 	empty := bytes.NewReader([]byte{})
 	if _, err := f.Ks.CheckSignature(appName, empty, ascFile); err != nil {
+		if err == pgperrors.ErrUnknownIssuer {
+			log.Printf("If you expected the signing key to change, try running:")
+			log.Printf("    rkt trust --prefix %q", appName)
+		}
 		if _, ok := err.(pgperrors.SignatureError); !ok {
 			return err
 		}

diff --git a/rkt/image/validator.go b/rkt/image/validator.go
@@ -25,6 +25,7 @@ import (
 	"github.com/appc/spec/aci"
 	"github.com/appc/spec/schema"
 	"golang.org/x/crypto/openpgp"
+	pgperrors "golang.org/x/crypto/openpgp/errors"
 )
 
 // validator is a general image checker
@@ -76,6 +77,10 @@ func (v *validator) ValidateWithSignature(ks *keystore.Keystore, sig io.ReadSeek
 		return nil, errwrap.Wrap(errors.New("error seeking signature file"), err)
 	}
 	entity, err := ks.CheckSignature(v.GetImageName(), v.image, sig)
+	if err == pgperrors.ErrUnknownIssuer {
+		log.Print("If you expected the signing key to change, try running:")
+		log.Print("    rkt trust --prefix <image>")
+	}
 	if err != nil {
 		return nil, err
 	}

diff --git a/rkt/pubkey/pubkey.go b/rkt/pubkey/pubkey.go
@@ -32,6 +32,7 @@ import (
 
 	"github.com/appc/spec/discovery"
 	"golang.org/x/crypto/openpgp"
+	"golang.org/x/crypto/ssh/terminal"
 )
 
 type Manager struct {
@@ -43,18 +44,12 @@ type Manager struct {
 }
 
 type AcceptOption int
-type OverrideOption int
 
 const (
 	AcceptForce AcceptOption = iota
 	AcceptAsk
 )
 
-const (
-	OverrideAllow OverrideOption = iota
-	OverrideDeny
-)
-
 var log *rktlog.Logger
 var stdout *rktlog.Logger = rktlog.New(os.Stdout, "", false)
 
@@ -84,7 +79,7 @@ func (m *Manager) GetPubKeyLocations(prefix string) ([]string, error) {
 }
 
 // AddKeys adds the keys listed in pkls at prefix
-func (m *Manager) AddKeys(pkls []string, prefix string, accept AcceptOption, override OverrideOption) error {
+func (m *Manager) AddKeys(pkls []string, prefix string, accept AcceptOption) error {
 	ensureLogger(m.Debug)
 	if m.Ks == nil {
 		return fmt.Errorf("no keystore available to add keys to")
@@ -101,24 +96,22 @@ func (m *Manager) AddKeys(pkls []string, prefix string, accept AcceptOption, ove
 		}
 		defer pk.Close()
 
-		exists, err := m.Ks.TrustedKeyPrefixExists(prefix, pk)
-		if err != nil {
-			return errwrap.Wrap(fmt.Errorf("error reading the key %s", pkl), err)
-		}
 		err = displayKey(prefix, pkl, pk)
 		if err != nil {
 			return errwrap.Wrap(fmt.Errorf("error displaying the key %s", pkl), err)
 		}
-		if exists && override == OverrideDeny {
-			log.Printf("key %q already in the keystore", pkl)
-			continue
-		}
 
 		if m.TrustKeysFromHTTPS && u.Scheme == "https" {
 			accept = AcceptForce
 		}
 
 		if accept == AcceptAsk {
+			if !terminal.IsTerminal(int(os.Stdin.Fd())) || !terminal.IsTerminal(int(os.Stderr.Fd())) {
+				log.Printf("To trust the key for %q, do one of the following:", prefix)
+				log.Printf(" - call rkt with --trust-keys-from-https")
+				log.Printf(" - run: rkt trust --prefix %q", prefix)
+				return fmt.Errorf("error reviewing key: unable to ask user to review fingerprint due to lack of tty")
+			}
 			accepted, err := reviewKey()
 			if err != nil {
 				return errwrap.Wrap(errors.New("error reviewing key"), err)

diff --git a/rkt/rkt.go b/rkt/rkt.go
@@ -165,7 +165,7 @@ func init() {
 		fmt.Sprintf("comma-separated list of security features to disable. Allowed values: %s",
 			globalFlags.InsecureFlags.PermissibleString()))
 	cmdRkt.PersistentFlags().BoolVar(&globalFlags.TrustKeysFromHTTPS, "trust-keys-from-https",
-		true, "automatically trust gpg keys fetched from https")
+		false, "automatically trust gpg keys fetched from https")
 
 	// Run this before the execution of each subcommand to set up output
 	cmdRkt.PersistentPreRun = func(cmd *cobra.Command, args []string) {

diff --git a/rkt/trust.go b/rkt/trust.go
@@ -98,7 +98,8 @@ func runTrust(cmd *cobra.Command, args []string) (exit int) {
 	if flagSkipFingerprintReview {
 		acceptOpt = pubkey.AcceptForce
 	}
-	if err := m.AddKeys(pkls, flagPrefix, acceptOpt, pubkey.OverrideDeny); err != nil {
+
+	if err := m.AddKeys(pkls, flagPrefix, acceptOpt); err != nil {
 		stderr.PrintE("error adding keys", err)
 		return 1
 	}